Service chains for inter-cloud traffic

US 10,666,612 B2
Filed: 06/06/2018
Issued: 05/26/2020
Est. Priority Date: 06/06/2018
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, via a network device, from one or more endpoints on a private network site, domain name system (DNS) queries associated with respective cloud domains;

based on the DNS queries, collecting DNS information associated with the respective cloud domains;

spoofing, via the network device, DNS entries associated with the respective cloud domains to yield spoofed DNS entries, the spoofed DNS entries defining a reduced number of IP addresses for each respective cloud domain, wherein the reduced number of IP addresses is smaller than a total number of IP addresses allocated to the respective cloud domain, and wherein the reduced number of IP addresses comprises one or more respective IP addresses identified in the collected DNS information;

based on the spoofed DNS entries, creating, via the network device, respective IP-to-domain mappings for the respective cloud domains, wherein each respective IP-to-domain mapping associates the respective cloud domain with an IP address from the reduced number of IP addresses associated with the respective cloud domain;

based on the respective IP-to-domain mappings, programming, on the network device, respective service chains for traffic between the private network site and the respective cloud domains, wherein each respective service chain is programmed via one or more policies configured to route, through the respective service chain, traffic having source information associated with the private network site and destination information matching the IP address in the respective IP-to-domain mapping associated with the respective cloud domain; and

in response to receiving traffic having source information associated with the private network site and destination information matching the IP address in the respective IP-to-domain mapping associated with the respective cloud domain, routing the traffic through the respective service chain based on the one or more policies associated with the respective service chain.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and computer-readable media for creating service chains for inter-cloud traffic. In some examples, a system receives domain name system (DNS) queries associated with cloud domains and collects DNS information associated the cloud domains. The system spoofs DNS entries defining a subset of IPs for each cloud domain. Based on the spoofed DNS entries, the system creates IP-to-domain mappings associating each cloud domain with a respective IP from the subset of IPs. Based on the IP-to-domain mappings, the system programs different service chains for traffic between a private network and respective cloud domains. The system routes, through the respective service chain, traffic having a source associated with the private network and a destination matching the IP in the respective IP-to-domain mapping.

344 Citations

20 Claims

1. A method comprising:
- receiving, via a network device, from one or more endpoints on a private network site, domain name system (DNS) queries associated with respective cloud domains;
  
  based on the DNS queries, collecting DNS information associated with the respective cloud domains;
  
  spoofing, via the network device, DNS entries associated with the respective cloud domains to yield spoofed DNS entries, the spoofed DNS entries defining a reduced number of IP addresses for each respective cloud domain, wherein the reduced number of IP addresses is smaller than a total number of IP addresses allocated to the respective cloud domain, and wherein the reduced number of IP addresses comprises one or more respective IP addresses identified in the collected DNS information;
  
  based on the spoofed DNS entries, creating, via the network device, respective IP-to-domain mappings for the respective cloud domains, wherein each respective IP-to-domain mapping associates the respective cloud domain with an IP address from the reduced number of IP addresses associated with the respective cloud domain;
  
  based on the respective IP-to-domain mappings, programming, on the network device, respective service chains for traffic between the private network site and the respective cloud domains, wherein each respective service chain is programmed via one or more policies configured to route, through the respective service chain, traffic having source information associated with the private network site and destination information matching the IP address in the respective IP-to-domain mapping associated with the respective cloud domain; and
  
  in response to receiving traffic having source information associated with the private network site and destination information matching the IP address in the respective IP-to-domain mapping associated with the respective cloud domain, routing the traffic through the respective service chain based on the one or more policies associated with the respective service chain.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein collecting DNS information comprises:
    - forwarding the DNS queries associated with the respective cloud domains to one or more DNS servers;
      
      receiving, by the network device, one or more DNS resolution results from the one or more DNS servers;
      
      snooping, by the network device, the one or more DNS resolution results; and
      
      based on the snooping, identifying, by the network device, the DNS information associated with the respective cloud domains.
  - 3. The method of claim 2, wherein the IP address associated with the respective cloud domain in the respective IP-to-domain mapping comprises at least one of a private IP address assigned by the network device to the respective cloud domain or a virtual IP address assigned by the network device to the respective cloud domain, the at least one of the private IP address or the virtual IP address corresponding to the spoofed DNS entries.
  - 4. The method of claim 2, wherein the reduced number of IP addresses associated with the respective cloud domain comprises a subset of the total number of IP addresses allocated to the respective cloud domain, wherein the IP address in the respective IP-to-domain mapping associated with the respective cloud domain is from the subset of the total number of IP addresses allocated to the respective cloud domain.
  - 5. The method of claim 4, wherein the subset of the total number of IP addresses allocated to the respective cloud domain is selected from the DNS information associated with the one or more DNS resolution results.
  - 6. The method of claim 2, further comprising:
    - in response to receiving the one or more DNS resolutions results from the one or more DNS servers, sending, by the network device to the one or more endpoints on the private network site, one or more DNS responses to the DNS queries, the one or more DNS responses identifying at least one of the reduced number of IP addresses.
  - 7. The method of claim 6, wherein the at least one of the reduced number of IP address identified in the one or more DNS responses comprises at least one of a virtual IP or a public IP allocated to the respective cloud domain, the public IP being determined based on the snooping of the one or more DNS resolution results.
  - 8. The method of claim 1, wherein the respective service chains are configured for traffic associated with respective cloud services from the respective cloud domains, wherein programming the respective service chains comprises programming respective cloud service names for the respective cloud services and associating at least one of the respective service chains or the IP-to-domain mappings with the respective cloud service names.
  - 9. The method of claim 1, further comprising:
    - receiving, via the network device, one or more service chain configuration requests identifying the respective service chains to be configured for traffic between the private network site and respective cloud domains, wherein each of the respective service chains comprises a respective sequence of appliances for processing the traffic.
  - 10. The method of claim 1, wherein the one or more policies comprise access control list (ACL) entries, the ACL entries comprising a respective ACL entry for each service in the respective service chain, wherein each respective ACL entry specifies a source address associated with the one or more endpoints in the private network site, a destination address comprising the IP address in the respective IP-to-domain mapping associated with the respective cloud domain, and an instruction to route traffic to the service when a source and destination of the traffic match the source address and the destination address in the respective ACL entry.
  - 11. The method of claim 10, wherein programming the respective service chains comprises programming the ACL entries on a hardware storage device in the network device, and wherein routing the traffic comprises receiving the traffic at the network device and, based on a lookup of the ACL entries programmed on the hardware storage device, matching the source and destination of the traffic to a respective source address and destination address in one of the ACL entries.

12. A network device comprising:
- one or more processors; and
  
  at least one computer-readable storage medium having stored therein instructions which, when executed by the one or more processors, cause the network device to;
  
  receive, from one or more endpoints on a private network site, domain name system (DNS) queries associated with respective cloud domains;
  
  based on the DNS queries, collect DNS information associated with the respective cloud domains;
  
  spoof DNS entries associated with the respective cloud domains to yield spoofed DNS entries, the spoofed DNS entries defining a reduced number of IP addresses for each respective cloud domain, wherein the reduced number of IP addresses is smaller than a total number of IP addresses allocated to the respective cloud domain, and wherein the reduced number of IP addresses comprises one or more respective IP addresses identified in the collected DNS information;
  
  based on the spoofed DNS entries, create respective IP-to-domain mappings for the respective cloud domains, wherein each respective IP-to-domain mapping associates the respective cloud domain with an IP address from the reduced number of IP addresses associated with the respective cloud domain;
  
  based on the respective IP-to-domain mappings, program, on the network device, respective service chains for traffic between the private network site and the respective cloud domains, wherein each respective service chain is programmed via one or more policies configured to route, through the respective service chain, traffic having source information associated with the private network site and destination information matching the IP address in the respective IP-to-domain mapping associated with the respective cloud domain; and
  
  in response to receiving traffic having source information associated with the private network site and destination information matching the IP address in the respective IP-to-domain mapping associated with the respective cloud domain, route the traffic through the respective service chain based on the one or more policies associated with the respective service chain.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The system of claim 12, wherein collecting DNS information comprises:
    - forwarding the DNS queries associated with the respective cloud domains to one or more DNS servers;
      
      receiving one or more DNS resolution results from the one or more DNS servers;
      
      snooping the one or more DNS resolution results; and
      
      based on the snooping, identifying the DNS information associated with the respective cloud domains.
  - 14. The system of claim 13, wherein the IP address associated with the respective cloud domain in the respective IP-to-domain mapping comprises at least one of a private IP address assigned by the network device to the respective cloud domain or a virtual IP address assigned by the network device to the respective cloud domain, the at least one of the private IP address or the virtual IP address corresponding to the spoofed DNS entries.
  - 15. The system of claim 13, wherein the reduced number of IP addresses associated with the respective cloud domain comprises a subset of the total number of IP addresses allocated to the respective cloud domain, wherein the IP address in the respective IP-to-domain mapping associated with the respective cloud domain is from the subset of the total number of IP addresses allocated to the respective cloud domain.
  - 16. The system of claim 12, wherein programming the one or more policies comprises programming access control list (ACL) entries on a hardware memory device in the network device, the ACL entries comprising a respective ACL entry for each service in the respective service chain, each respective ACL entry specifying a source address associated with the private network site, a destination address comprising the IP address in the respective IP-to-domain mapping associated with the respective cloud domain, and an instruction to route traffic to the service when a source and destination of the traffic match the source address and destination address in the respective ACL entry.

17. A non-transitory computer-readable storage medium having stored therein instructions which, when executed by one or more processors, cause a network device to:
- receive, from one or more endpoints on a private network site, domain name system (DNS) queries associated with respective cloud domains;
  
  based on the DNS queries, collect DNS information associated with the respective cloud domains;
  
  alter DNS entries associated with the respective cloud domains to yield altered DNS entries, the altered DNS entries defining a reduced number of IP addresses for each respective cloud domain, the reduced number of IP addresses being smaller than a total number of IP addresses allocated to the respective cloud domain, wherein the reduced number of IP addresses comprises one or more respective IP addresses identified in the collected DNS information;
  
  based on the altered DNS entries, create respective IP-to-domain mappings for the respective cloud domains, wherein each respective IP-to-domain mapping associates the respective cloud domain with an IP address from the reduced number of IP addresses associated with the respective cloud domain;
  
  based on the respective IP-to-domain mappings, program respective service chains for traffic between the private network site and the respective cloud domains, wherein each respective service chain is programmed via one or more policies configured to route, through the respective service chain, traffic having source information associated with the private network site and destination information matching the IP address in the respective IP-to-domain mapping associated with the respective cloud domain; and
  
  in response to receiving traffic having source information associated with the private network site and destination information matching the IP address in the respective IP-to-domain mapping associated with the respective cloud domain, route the traffic through the respective service chain based on the one or more policies associated with the respective service chain.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer-readable storage medium of claim 17, wherein the one or more policies comprise access control list (ACL) entries, the ACL entries comprising a respective ACL entry for each service in the respective service chain, wherein each respective ACL entry specifies a source address associated with the one or more endpoints in the private network site, a destination address comprising the IP address in the respective IP-to-domain mapping associated with the respective cloud domain, and an instruction to route traffic to the service when a source and destination of the traffic match the source address and the destination address in the respective ACL entry.
  - 19. The non-transitory computer-readable storage medium of claim 18, wherein programming the respective service chains comprises programming the ACL entries on a hardware storage device in the network device, and wherein routing the traffic comprises receiving the traffic at the network device and, based on a lookup of the ACL entries programmed on the hardware storage device, matching the source and destination of the traffic to a respective source address and destination address in one of the ACL entries.
  - 20. The non-transitory computer-readable storage medium of claim 17, wherein the IP address associated with the respective cloud domain in the respective IP-to-domain mapping comprises at least one of a virtual IP address assigned by the network device to the respective cloud domain or a public IP address allocated to the respective cloud domain and identified by the network device based on one or more of the DNS queries, wherein at least one of the virtual IP address or the public IP address corresponds to the altered DNS entries.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Sundararajan, Balaji, Sharma, Samar
Primary Examiner(s)
Chan, Sai Ming

Application Number

US16/001,039
Publication Number

US 20190379635A1
Time in Patent Office

720 Days
Field of Search

370392
US Class Current
CPC Class Codes

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 45/04   Interdomain routing, e.g. h...

H04L 45/22   Alternate routing

H04L 45/243   using M+N parallel active p...

H04L 45/306   Route determination based o...

H04L 45/38   Flow based routing

H04L 45/64   using an overlay routing layer

H04L 45/74   Address processing for routing

H04L 61/256   NAT traversal

H04L 61/4511   using domain name system [DNS]

H04L 63/101   Access control lists [ACL]

Service chains for inter-cloud traffic

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

344 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Service chains for inter-cloud traffic

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

344 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links